Encryption

CNN iPhone App Sends iReporters' Passwords In the Clear 39

Posted by Unknown Lamer
from the safe-reporting dept.
chicksdaddy (814965) writes The Security Ledger reports on newly published research from the firm zScaler that reveals CNN's iPhone application transmits user login session information in clear text. The security flaw could leave users of the application vulnerable to having their login credentials snooped by malicious actors on the same network or connected to the same insecure wifi hotspot. That's particularly bad news if you're one of CNN's iReporters — citizen journalists — who use the app to upload photos, video and other text as they report on breaking news events. According to a zScaler analysis, CNN's app for iPhone exposes user credentials in the clear both during initial setup of the account and in subsequent mobile sessions. The iPad version of the CNN app is not affected, nor is the CNN mobile application for Android. A spokesman for CNN said the company had a fix ready and was working with Apple to have it approved and released to the iTunes AppStore.
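The flaw described above is the kind you can check for yourself by routing an app's traffic through an intercepting proxy and looking at what crosses the wire without TLS. The script below is an added example, not Zscaler's tooling or anything from the report: it takes proxy-style captures (scheme as recorded by the proxy, plus the raw HTTP request), parses them, and flags passwords, session cookies and Basic auth headers sent over plain HTTP. The hostname `app.example.invalid`, the parameter names, and the captures themselves are constructed for the demo.

```python
"""Flag credentials and session tokens carried over cleartext HTTP.

Added example (not code from the Security Ledger or Zscaler report).
Input: (scheme, raw_request) pairs as an intercepting proxy would record
them. Output: every secret-looking field that crossed the wire without TLS.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Parameter/cookie names commonly used for secrets; extend per target app.
SECRET_KEYS = {"password", "passwd", "pwd", "pass", "session", "sessionid",
               "token", "access_token", "auth"}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def extract_secrets(req: dict) -> list:
    """Return (where, name) pairs for each secret-looking field in the request."""
    found = []
    ctype = req["headers"].get("content-type", "")
    # Secrets in the query string are also logged by every proxy on the path.
    for name in parse_qs(urlsplit(req["target"]).query):
        if name.lower() in SECRET_KEYS:
            found.append(("query", name))
    # Form-encoded or JSON login bodies.
    if ctype.startswith("application/x-www-form-urlencoded"):
        for name in parse_qs(req["body"]):
            if name.lower() in SECRET_KEYS:
                found.append(("form", name))
    elif ctype.startswith("application/json") and req["body"]:
        try:
            obj = json.loads(req["body"])
        except ValueError:
            obj = {}
        if isinstance(obj, dict):
            for name in obj:
                if name.lower() in SECRET_KEYS:
                    found.append(("json", name))
    # HTTP Basic is base64, i.e. encoding, not encryption.
    if req["headers"].get("authorization", "").lower().startswith("basic "):
        found.append(("header", "Authorization: Basic"))
    # Session cookies replayed on every later request (the "subsequent
    # sessions" case in the story) are as good as the password.
    for part in req["headers"].get("cookie", "").split(";"):
        name = part.split("=", 1)[0].strip()
        if name.lower() in SECRET_KEYS:
            found.append(("cookie", name))
    return found


def audit(captures: list) -> list:
    """Return (host, method, target, where, name) for secrets sent without TLS."""
    findings = []
    for scheme, raw in captures:
        if scheme == "https":       # protected in transit; not our concern here
            continue
        req = parse_request(raw)
        host = req["headers"].get("host", "?")
        for where, name in extract_secrets(req):
            findings.append((host, req["method"], req["target"], where, name))
    return findings


# Constructed sample captures: an initial login over plain HTTP, the same
# login over HTTPS, a later request replaying a session cookie in the clear,
# and a harmless cleartext fetch.
SAMPLE_CAPTURES = [
    ("http", "POST /api/login HTTP/1.1\r\nHost: app.example.invalid\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "username=ireporter&password=hunter2"),
    ("https", "POST /api/login HTTP/1.1\r\nHost: app.example.invalid\r\n"
              "Content-Type: application/json\r\n\r\n"
              '{"username": "ireporter", "password": "hunter2"}'),
    ("http", "GET /upload?id=42 HTTP/1.1\r\nHost: app.example.invalid\r\n"
             "Cookie: theme=dark; sessionid=abc123\r\n\r\n"),
    ("http", "GET /feed HTTP/1.1\r\nHost: app.example.invalid\r\n\r\n"),
]

if __name__ == "__main__":
    for host, method, target, where, name in audit(SAMPLE_CAPTURES):
        print(f"CLEARTEXT SECRET: {method} {host}{target} -> {where} {name!r}")
```

Run against real captures, the two hits here (the form password on the first login and the session cookie on the later upload) are exactly the "initial setup" and "subsequent sessions" exposures the report distinguishes; an app that only protected the login would still fail on the second.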
Verizon

Deaf Advocacy Groups To Verizon: Don't Kill Net Neutrality On Our Behalf 74

Posted by Soulskill
from the or-on-your-behalf dept.
Dega704 sends this quote from Ars: "No company has lobbied more fiercely against network neutrality than Verizon, which filed the lawsuit that overturned the FCC's rules prohibiting ISPs from blocking and discriminating against Web content. But the absence of net neutrality rules isn't just good for Verizon—it's also good for the blind, deaf, and disabled, Verizon claims. That's what Verizon lobbyists said in talks with congressional staffers, according to a Mother Jones report last month. 'Three Hill sources tell Mother Jones that Verizon lobbyists have cited the needs of blind, deaf, and disabled people to try to convince congressional staffers and their bosses to get on board with the fast lane idea,' the report said. With 'fast lanes,' Web services—including those designed for the blind, deaf, and disabled—could be prioritized in exchange for payment. Now, advocacy groups for deaf people have filed comments with the FCC saying they don't agree with Verizon's position."
Electronic Frontier Foundation

EFF Releases Wireless Router Firmware For Open Access Points 56

Posted by Soulskill
from the secure-is-as-secure-does dept.
klapaucjusz writes: The EFF has released an experimental router firmware designed to make it easy to deploy open (password-less) access points in a secure manner. The EFF's firmware is based on the CeroWRT fork of OpenWRT, but appears to remove some of its more advanced routing features. The EFF is asking for help to further develop the firmware. They want the open access point to co-exist on the same router as your typical private and secured access point. They want the owner to be able to share bandwidth, but with a cap, so guests don't degrade service for the owner. They're also looking to develop network queueing, a minimalist web UI, and an auto-update mechanism. The EFF has also released the beta version of a plug-in called Privacy Badger for Firefox and Chrome that will prevent online advertisers from tracking you.
United Kingdom

UK Users Overwhelmingly Spurn Broadband Filters 113

Posted by timothy
from the but-it's-a-free-service dept.
nk497 (1345219) writes "Broadband customers are overwhelmingly choosing not to use parental-control systems foisted on ISPs by the government — with takeup in the single digits for three of the four major broadband providers. Last year, the government pushed ISPs to roll out network-level filters, forcing new customers to make an 'active' decision about whether they want to use them or not. Only 5% of new BT customers signed up, 8% opted in for Sky and 4% for Virgin Media. TalkTalk rolled out a parental-control system two years before the government required it and has a much better takeup, with 36% of customers signing up for it. The report, from regulator Ofcom, didn't bother to judge if the filters actually work, however."
Operating Systems

Exodus Intelligence Details Zero-Day Vulnerabilities In Tails OS 130

Posted by timothy
from the compared-to-what? dept.
New submitter I Ate A Candle (3762149) writes Tails OS, the Tor-reliant privacy-focused operating system made famous by Edward Snowden, contains a number of zero-day vulnerabilities that could be used to take control of the OS and execute code remotely. At least that's according to zero-day exploit seller Exodus Intelligence, which counts DARPA amongst its customer base. The company plans to tell the Tails team about the issues "in due time", said Aaron Portnoy, co-founder and vice president of Exodus, but it isn't giving any information on a disclosure timeline. This means users of Tails are in danger of being de-anonymised. Even version 1.1, which hit public release today (22 July 2014), is affected. Snowden famously used Tails to manage the NSA files. The OS can be held on a USB stick and leaves no trace once removed from the drive. It uses the Tor network to avoid identification of the user, but such protections may be undone by the zero-day exploits Exodus holds.
Security

AirMagnet Wi-Fi Security Tool Takes Aim At Drones 52

Posted by timothy
from the command-and-control-is-next dept.
alphadogg (971356) writes "In its quest to help enterprises seek out and neutralize all threats to their Wi-Fi networks, AirMagnet is now looking to the skies. In a free software update to its AirMagnet Enterprise product last week, the Wi-Fi security division of Fluke Networks added code specifically crafted to detect the Parrot AR Drone, a popular unmanned aerial vehicle that costs a few hundred dollars and can be controlled using a smartphone or tablet. Drones themselves don't pose any special threat to Wi-Fi networks, and AirMagnet isn't issuing air pistols to its customers to shoot them down. The reason the craft are dangerous is that they can be modified to act as rogue access points and sent into range of a victim's wireless network, potentially breaking into a network to steal data."
Microsoft

No RIF'd Employees Need Apply For Microsoft External Staff Jobs For 6 Months 275

Posted by Unknown Lamer
from the no-workers-rights-for-you dept.
theodp (442580) writes So, what does Microsoft do for an encore after laying off 18,000 employees with a hilariously bad memo? Issue another bad memo — Changes to Microsoft Network and Building Access for External Staff — "to introduce a new policy [retroactive to July 1] that will better protect our Microsoft IP and confidential information." How so? "The policy change affects [only] US-based external staff (including Agency Temporaries, Vendors and Business Guests)," Microsoft adds, "and limits their access to Microsoft buildings and the Microsoft corporate network to a period of 18 months, with a required six-month break before access may be granted again." Suppose Microsoft feels that's where the NSA went wrong with Edward Snowden? And if any soon-to-be-terminated Microsoft employees hope to latch on to a job with a Microsoft external vendor to keep their income flowing, they best think again. "Any Microsoft employee who separated from Microsoft on or after July 1, 2014," the kick-em-while-they're-down memo explains, "will be required to take a minimum 6-month break from access between the day the employee separates from Microsoft and the date when the former employee may begin an assignment as an External Staff performing services for Microsoft." Likely not just to prevent leaks, but also to prevent any contractors from being reclassified as employees.
Facebook

The Loophole Obscuring Facebook and Google's Transparency Reports 18

Posted by samzenpus
from the fuzzy-math dept.
Jason Koebler writes The number of law enforcement requests coming from Canada for information from companies like Facebook and Google is often inaccurate thanks to a little-known loophole that lumps them in with U.S. numbers. For example, law enforcement and government agencies in Canada made 366 requests for Facebook user data in 2013, according to the social network's transparency reports. But that's not the total number. An additional 16 requests are missing, counted instead with U.S. requests thanks to a law that lets Canadian agencies make requests with the U.S. Department of Justice.
Google

The "Rickmote Controller" Can Hijack Any Google Chromecast 131

Posted by samzenpus
from the never-going-to-give-you-up dept.
redletterdave writes Dan Petro, a security analyst for the Bishop Fox IT consulting firm, built a proof of concept device that's able to hack into any Google Chromecast nearby to project Rick Astley's "Never Gonna Give You Up," or any other video a prankster might choose. The "Rickmote," which is built on top of the $35 Raspberry Pi single board computer, finds a local Chromecast device, boots it off the network, and then takes over the screen with multimedia of one's choosing. But it gets worse for the victims: If the hacker leaves the range of the device, there's no way to regain control of the Chromecast. Unfortunately for Google, this is a rather serious issue with the Chromecast device that's not too easy to fix, as the configuration process is an essential part of the Chromecast experience.
Cellphones

Why My LG Optimus Cellphone Is Worse Than It's Supposed To Be 288

Posted by samzenpus
from the no-sir-I-don't-like-it dept.
Bennett Haselton writes My LG Optimus F3Q was the lowest-end phone in the T-Mobile store, but a cheap phone is supposed to suck in specific ways that make you want to upgrade to a better model. This one is plagued with software bugs that have nothing to do with the cheap hardware, and thus lower one's confidence in the whole product line. Similar to the suckiness of the Stratosphere and Stratosphere 2 that I was subjected to before this one, the phone's shortcomings actually raise more interesting questions — about why the free-market system rewards companies for pulling off miracles at the hardware level, but not for fixing software bugs that should be easy to catch. Read below to see what Bennett has to say.
China

China Has More People Going Online With a Mobile Device Than a PC 58

Posted by samzenpus
from the surfing-on-the-go dept.
An anonymous reader points out that even though China's internet adoption rate is the lowest it's been in 8 years, the number of people surfing the net from a mobile device has never been higher. "The number of China's internet users going online with a mobile device — such as a smartphone or tablet — has overtaken those doing so with a personal computer (PC) for the first time, said the official China Internet Network Information Center (CNNIC) on Monday. China's total number of internet users crept up 2.3 percent to 632 million by the end of June, from 618 million at the end of 2013, said CNNIC's internet development statistics report. Of those, 527 million — or 83 percent — went online via mobile. Those doing so with a PC made up 81 percent of the total. China is the largest smartphone market in the world, and by 2018 is likely to account for nearly one-third of the expected 1.8 billion smartphones shipped that year, according to data firm IDC."
Security

Critroni Crypto Ransomware Seen Using Tor for Command and Control 122

Posted by samzenpus
from the protect-ya-neck dept.
Trailrunner7 writes There's a new kid on the crypto ransomware block, known as Critroni, that's been sold in underground forums for the last month or so and is now being dropped by the Angler exploit kit. The ransomware includes a number of unusual features and researchers say it's the first crypto ransomware seen using the Tor network for command and control.

The Critroni ransomware is selling for around $3,000 and researchers say it is now being used by a range of attackers, some of whom are using the Angler exploit kit to drop a spambot on victims' machines. The spambot then downloads a couple of other payloads, including Critroni. Once on a victim's PC, Critroni encrypts a variety of files, including photos and documents, and then displays a dialogue box that informs the user of the infection and demands a payment in Bitcoins in order to decrypt the files.

"It uses C2 hidden in the Tor network. Previously we haven't seen cryptomalware having C2 in Tor. Only banking trojans," said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, who has been researching this threat. "Executable code for establishing a Tor connection is embedded in the malware's body. Previously, with malware of this type, this was usually accomplished with a Tor.exe file. Embedding Tor functions in the malware's body is a more difficult task from the programming point of view, but it has some profits, because it helps to avoid detection, and it is more efficient in general."
The Almighty Buck

New Digital Currency Bases Value On Reputation 100

Posted by Soulskill
from the for-everyone-who-wanted-to-rep-grind-in-real-life dept.
An anonymous reader writes: If digital currencies are fundamentally different than physical ones, why do they work in the same way? That's a question being asked by Couchbase co-founder J. Chris Anderson, who's building a currency and transaction system where reputation is the fundamental unit of value. "Unlike with bitcoin—which keeps its currency scarce by rewarding it only to those who participate in what amounts to a race to solve complex cryptographic puzzles—anyone will be able to create a new Document Coin anytime they want. The value of each coin will be completely subjective, depending on who creates the coin and why. 'For example, the coin my disco singer friend created and gave me at my barbeque might be what gets me past the rope at the club,' Anderson says. A coin minted by tech pundit Tim O'Reilly might be highly prized in Silicon Valley circles, but of little interest to musicians. 'It's a bit like a combination of a social network with baseball trading.'" Anderson isn't aiming to supplant Bitcoin, or even challenge the money-exchange model that drives society. But he's hoping it will change the way people think about currency, and open up new possibilities for how we interact with each other.
Verizon

Verizon's Accidental Mea Culpa 389

Posted by Soulskill
from the information-wants-to-be-hamstrung dept.
Barryke writes: Verizon has blamed Netflix for the streaming slowdowns their customers have been seeing. It seems the Verizon blog post defending this accusation has backfired in a spectacular way: The chief has clearly admitted that Verizon has capacity to spare, and is deliberately constraining throughput from network providers. Level3, a major ISP that interconnects with Verizon's networks, responded by showing a diagram that visualizes the underpowered interconnect problem and explaining why Verizon's own post indicates how it restricts data flow. Level3 also offered to pay for the necessary upgrades to Verizon hardware: "... these cards are very cheap, a few thousand dollars for each 10 Gbps card which could support 5,000 streams or more. If that's the case, we'll buy one for them. Maybe they can't afford the small piece of cable between our two ports. If that's the case, we'll provide it. Heck, we'll even install it." I'm curious to see Verizon's response to this straightforward accusation of throttling paying users (which tech-savvy readers were quick to confirm).
Networking

MIT May Have Just Solved All Your Data Center Network Lag Issues 83

Posted by Unknown Lamer
from the hierarchy-beats-anarchy dept.
alphadogg (971356) writes A group of MIT researchers say they've invented a new technology that should all but eliminate queue length in data center networking. The technology will be fully described in a paper presented at the annual conference of the ACM Special Interest Group on Data Communication. According to MIT, the paper will detail a system — dubbed Fastpass — that uses a centralized arbiter to analyze network traffic holistically and make routing decisions based on that analysis, in contrast to the more decentralized protocols common today. Experimentation done in Facebook data centers shows that a Fastpass arbiter with just eight cores can be used to manage a network transmitting 2.2 terabits of data per second, according to the researchers.
Government

Telcos Move Net Neutrality Fight To Congress 52

Posted by Soulskill
from the putting-the-money-where-it-counts dept.
Presto Vivace writes: "Public Knowledge is rallying its supporters after learning that some House members plan to try to add an amendment to H.R. 5016, the Financial Services and General Government Appropriations Act, to block funding of FCC network neutrality rules. H.R. 5016 is the bill that keeps funding the government and whose failure to pass can shut it down. The White House has already said it opposed the existing FCC budget cuts and threatened a veto of a bill it says politicized the budget process." Public Knowledge is asking citizens to tell Congress to stop meddling with net neutrality. In a way this is a good sign. It is an indication that the telcos think that they will lose the current FCC debate. Meanwhile, the FCC's deadline for comments about net neutrality has arrived, and the agency's servers buckled after recording over 670,000 of them. The deadline has been extended until midnight on Friday.
HP

HP Claims Their Moonshot System is a 'New Style of IT' (Video) 68

Posted by Roblimo
from the my-server-uses-less-power-than-yours dept.
Didn't we already have something kind of like this called a Blade server? But this is better! An HP Web page devoted to Moonshot says, 'Compared to traditional servers, up to: 89% less energy; 80% less space; 77% less cost; and 97% less complex.' If this is all true, the world of servers is now undergoing a radical change.

A quote from another Moonshot page: 'The HP Moonshot 1500 Chassis has 45 hot-pluggable servers installed and fits into 4.3U. The density comes in part from the low-energy, efficient processors. The innovative chassis design supports 45 servers, 2 network switches, and supporting components.' These are software-defined servers. HP claims they are the first ones ever, a claim that may depend on how you define "software-defined." And what software defines them? In this case, at Texas Linux Fest, it seems to be Ubuntu Linux. (Alternate Video Link)
Networking

OpenWRT 14.07 RC1 Supports Native IPv6, Procd Init System 70

Posted by Unknown Lamer
from the bofh-excuse-#3847-replacing-router-os dept.
An anonymous reader writes Release Candidate One of OpenWRT 14.07 "Barrier Breaker" has been released. The big changes in 14.07 for this tiny embedded Linux distribution for routers are native IPv6 support and integration of the procd init system. Native IPv6 support comes with RA and DHCPv6+PD client and server support plus other changes. Procd is OpenWRT's new preinit, init, hotplug, and event system. Perhaps not too exciting is support for upgrading on devices with NAND, and file system snapshot/restore so you can experiment without fear of leaving your network broken. There's also experimental support for the musl standard C library.
Networking

Led By Nest, 'Thread' Might Be Most Promising IoT Initiative Yet 79

Posted by Unknown Lamer
from the n+1-standards dept.
An anonymous reader writes Nest, Big A%@ Fans, Yale door locks, ARM, Freescale, Samsung and Silicon Labs launch the Thread Group, a standards initiative for using 6LoWPAN-based network technology with mesh capabilities optimized for home automation. Because it blends IPv6 with low-power 802.15.4 radios, a layer of security, peer-to-peer communications, and other special sauce for whole-house connectivity, Thread looks extremely promising in an increasingly crowded field. Plus, millions of units of enabled products are already deployed by way of Nest's little-known Weave technology. There's a press release. Thread is based on open technology, but it's not clear that the protocol specifications will be available for non-members. No hardware changes are required for devices with 802.15.4 radios, and the group claims the new protocol fixes enough flaws in existing standards (mostly ZigBee) to be worth the software upgrade. Promises include increased reliability (mesh network with multiple routing points), lower power use (by not requiring sensors to wake up for traffic from other sensors), and easier bridging between the mesh network and Internet (thanks to using IPv6).
China

Chinese Hackers Infiltrate Firms Using Malware-Laden Handheld Scanners 93

Posted by timothy
from the location-location-location dept.
wiredmikey (1824622) writes China-based threat actors are using sophisticated malware installed on handheld scanners to target shipping and logistics organizations from all over the world. According to security firm TrapX, the attack begins at a Chinese company that provides hardware and software for handheld scanners used by shipping and logistics firms worldwide to inventory the items they're handling. The Chinese manufacturer installs the malware on the Windows XP operating systems embedded in the devices.

Experts determined that the threat group targets servers storing corporate financial data, customer data and other sensitive information. A second payload downloaded by the malware then establishes a sophisticated C&C on the company's finance servers, enabling the attackers to exfiltrate the information they're after. The malware used by the Zombie Zero attackers is highly sophisticated and polymorphic, the researchers said. In one attack they observed, 16 of the 48 scanners used by the victim were infected, and the malware managed to penetrate the targeted organization's defenses and gain access to servers on the corporate network. Interestingly, the C&C is located at the Lanxiang Vocational School, an educational institution said to be involved in the Operation Aurora attacks against Google, and which is physically located only one block away from the scanner manufacturer, TrapX said.
